What is claimed is: 

1 . A method for creating a proof of possession confirmation for inclusion 
by a certification authority into a digital certificate, the digital certificate for use by an 
end user, the method comprising: 

receiving, from the certification authority in response to a certificate 
request by the end user, a plurality of data fields corresponding to a target host system, 
the identity of the end user, and a proof of identity possession by the end user; 

analyzing the content of said plurality of data fields; 

verifying the accuracy of said plurality of data fields; and 

if said plurality of data fields is verified as accurate, sending a signed 
object to the certification authority, said signed object comprising the proof of 
possession confirmation, 

2. The method of claim 1 , wherein said plurality of data fields further 
comprises: 

a host name; 

a subject identification; 

a subject public key information; and 

a sealed proof of possession. 
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3 . The method of claim 2, wherein analyzing the content of said plurality 
of data fields further comprises: 

decrypting a proof of possession structure from said sealed proof of 

possession; 

; extracting a password from said sealed proof of possession structure; 

i extracting a key identifier from said proof of possession structure; and 

' calculating a correct key identifier from said subject public key 

! information. 

4. The method of claim 3, wherein the accuracy of said plurality of data 
[q fields is verified if: 

|}{ said host name is matched with an identity of said target host system; 

pj said extracted password is validated as a valid password for the end 

IP user; and 

y 1 said extracted key identifier is matched with said correct key identifier 

p calculated from said subject public key information. 

p 5 . The method of claim 3, wherein said extracted password and said 

^ extracted key identifier are initially symmetrically encrypted. 

1 6. The method of claim 3, wherein said extracted password and said 

2 extracted key identifier are initially asymmetrically encrypted. 

1 7. The method of claim 1 , wherein: 

2 said plurality of data fields includes a password; and 

3 said signed object does not include said password. 
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8. A storage medium encoded with a machine readable computer program 
code for creating a proof of possession confirmation for inclusion by a certification 
authority into a digital certificate, the digital certificate for use by an end user, the 
storage medium including instructions for causing a computer to implement a method, 
the method comprising: 

receiving, from the certification authority in response to a certificate 
request by the end user, a plurality of data fields corresponding to a target host system, 
the identity of the end user, and a proof of identity possession by the end user; 

analyzing the content of said plurality of data fields; 

verifying the accuracy of said plurality of data fields; and 

if said plurality of data fields is verified as accurate, sending a signed 
object to the certification authority, said signed object comprising the proof of 
possession confirmation. 

9. The storage medium of claim 8, wherein said plurality of data fields 
further comprises: 

a host name; 

a subject identification; 

a subject public key information; and 

a sealed proof of possession. 



POU920010018US1 



15 



1 0. The storage medium of claim 9, wherein analyzing the content of said 
plurality of data fields further comprises: 

decrypting a proof of possession structure from said sealed proof of 

possession; 

extracting a password from said sealed proof of possession structure; 
extracting a key identifier from said proof of possession structure; and 
calculating a correct key identifier from said subject public key 

information. 



1 1 . The storage medium of claim 1 0, wherein the accuracy of said plurality 

jS of data fields is verified if: 

p said host name is matched with an identity of said target host system; 

pj said extracted password is validated as a valid password for the end 

5k user; and 

%4 said extracted key identifier is matched with said correct key identifier 

0 calculated from said subject public key information. 

[II 12. The storage medium of claim 1 0, wherein said extracted password and 

|L said extracted key identifier are initially symmetrically encrypted. 

1 13. The storage medium of claim 1 0, wherein said extracted password and 

2 said extracted key identifier are initially asymmetrically encrypted. 

1 14. The storage medium of claim 8, wherein: 

2 said plurality of data fields includes a password; and 

3 said signed object does not include said password. 
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15. A computer data signal for creating a proof of possession confirmation 
for inclusion by a certification authority into a digital certificate, the digital certificate 
for use by an end user, the computer data signal comprising code configured to cause a 
processor to implement a method, the method comprising: 

receiving, from the certification authority in response to a certificate 
request by the end user, a plurality of data fields corresponding to a target host system, 
the identity of the end user, and a proof of identity possession by the end user; 

analyzing the content of said plurality of data fields; 

verifying the accuracy of said plurality of data fields; and 

if said plurality of data fields is verified as accurate, sending a signed 
object to the certification authority, said signed object comprising the proof of 
possession confirmation. 

1 6. The computer data signal of claim 1 5 , wherein said plurality of data 
fields further comprises: 

a host name; 

a subject identification; 

a subject public key information; and 

a sealed proof of possession. 
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17. The computer data signal of claim 16, wherein analyzing the content of 
said plurality of data fields further comprises: 

decrypting a proof of possession structure from said sealed proof of 

possession; 

extracting a password from said sealed proof of possession structure; 
extracting a key identifier from said proof of possession structure; and 
calculating a correct key identifier from said subject public key 

information. 

1 8. The computer data signal of claim 1 7, wherein the accuracy of said 
plurality of data fields is verified if: 

said host name is matched with an identity of said target host system; 
said extracted password is validated as a valid password for the end 

user; and 

said extracted key identifier is matched with said correct key identifier 
calculated from said subject public key information. 

19. The computer data signal of claim 1 7, wherein said extracted password 
and said extracted key identifier are initially symmetrically encrypted. 

20. The computer data signal of claim 17, wherein said extracted password 
and said extracted key identifier are initially asymmetrically encrypted. 

21. The computer data signal of claim 15, wherein: 
said plurality of data fields includes a password; and 
said signed object does not include said password. 
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